Today we are going to use a time function that can round a time value down to a specific time unit. This function can be used as you build searches and rules in Google SecOps!
Oftentimes, we want to roll time values up by minute, hour, day and the like. While other timestamp functions such as timestamp.get_date, timestamp.get_hour, and timestamp.get_minute can do this, additional data manipulation may be required depending on the time range of the data being searched. The timestamp.truncate function simplifies this: the first argument is the field or variable holding the timestamp value, the second argument is the time unit, and the result is the timestamp rounded down to the nearest such unit.
If we apply this function to the timestamp displayed and specify the time unit of hour, our result would be 2024-08-09 12:00:00 in integer (epoch) form. We would still want to convert it to a nicely displayed format for output, but that's what the timestamp.get_timestamp function is for! The truncated value can be used to group data, and those groups can then be used to generate aggregate values and calculations for the events that occurred during each time period.
Follow along in this video to see how we can apply timestamp.truncate to our searches and rules.
timestamp.truncate gives us the ability to take a timestamp value and round it down by specifying the field or variable followed by the time unit. This is used to group or aggregate values in a search or rule, which can then be used to calculate additional values based on the data aggregated during that time. While the output of timestamp.truncate is a rounded epoch value, we can use the timestamp.get_timestamp function to quickly convert that value to a nicely formatted, human-readable time format of our choosing!
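As an added example (not code from the original post or from the video), here is a YARA-L 2.0 detection rule that uses timestamp.truncate to bucket failed logins per user into hourly windows, and timestamp.get_timestamp to render the bucket for the outcome section. The rule name, the threshold of 10, the event filters, the "HOUR" granularity string and the "%F %T" format string are assumptions chosen for illustration; confirm the exact granularity and format values against the Google SecOps YARA-L function reference before using this in an environment.

```yaral
rule hourly_failed_logins_per_user {
  meta:
    author = "added example, not from the original post"
    description = "Counts blocked login attempts per user per hour using timestamp.truncate"
    severity = "LOW"

  events:
    // Assumed filters: blocked user-login events from any source.
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"

    // Round the event time down to the start of its hour (epoch seconds).
    // "HOUR" is the assumed granularity string; MINUTE/DAY would bucket differently.
    $hour_bucket = timestamp.truncate($login.metadata.event_timestamp.seconds, "HOUR")
    $user = $login.target.user.userid

  match:
    // Group on the truncated value so each (user, hour) pair is evaluated separately.
    $user, $hour_bucket over 1d

  outcome:
    $failed_attempts = count($login.metadata.id)
    // Convert the rounded epoch value back into a readable label, e.g. 2024-08-09 12:00:00.
    // Format string assumed; adjust to the format the reference documents.
    $bucket_start = timestamp.get_timestamp($hour_bucket, "%F %T", "UTC")

  condition:
    // Assumed threshold: more than 10 blocked logins for one user within one hour bucket.
    $login and $failed_attempts > 10
}
```

Because the match section groups on $hour_bucket rather than on the raw event timestamp, every event from 12:00:00 through 12:59:59 collapses into the same bucket, which is what makes the per-hour count meaningful; the same placeholder pattern works in a UDM search if the match and outcome sections are kept and the condition is dropped.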
Check out these additional resources with more information and learning opportunities: